Steve Langasek on 2006-08-16 18:07:36 -0700:
> Alec,
>
> On Wed, Aug 16, 2006 at 03:04:51PM -0700, Debian Bug Tracking System
> wrote:
> >
> > severity 332433 serious
>
> Why? The original bug was filed by a member of the security team, and
> he tagged the bug as "important". Please don't change bug severities
> without some explanation.

I didn't mean to do a drive-by severity change; I used the bts script and put a comment but apparently forgot to escape the pound sign. I'll remember that in the future and will try to track down the other ones I've raised in the same way over the past day or two.

This vulnerability allows a malicious user to overwrite arbitrary files owned by the user running cfengine, probably root - not an issue that should be left in for etch. This issue "introduces a security hole allowing access to the accounts of users who use the package" (via a new /etc/{passwd,shadow} or by ssh keys) and/or "causes (serious) data loss" (quoting from etch_rc_policy.txt).